跳到主要内容

内存镜像分析

备注

一黑客通过互联网扫描, 发现某企业的互联网入口, 经过一系列操作将工控机进行了锁定, 你能通过分析内存镜像, 破解黑客留下的登录密码吗,并找到 FLAG

flag 形式为 flag{}

直接使用 Volatility2 进行提取

PS D:\Downloads\memory_04> .\volatility_2.6_win64_standalone.exe -f .\memory imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Downloads\memory_04\memory)
                      PAE type : PAE
                           DTB : 0xad6000L
                          KDBG : 0x80546ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2019-01-16 03:19:05 UTC+0000
     Image local date and time : 2019-01-16 11:19:05 +0800

确定内核版本为 WinXPSP2x86 之后,分析 LSASS 凭据信息

PS D:\Downloads\memory_04> .\volatility_2.6_win64_standalone.exe -f .\memory --profile=WinXPSP2x86 lsadump
Volatility Foundation Volatility Framework 2.6
ERROR   : volatility.debug    : Unable to read LSA secrets from registry

PS D:\Downloads\memory_04> .\volatility_2.6_win64_standalone.exe -f .\memory --profile=WinXPSP2x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:132893a93031a4d2c70b0ba3fd87654a:fe572c566816ef495f84fdca382fd8bb:::

对得到的哈希进行查询彩虹表

NTLM HashPlaintext
c22b315c040ae6e0efee3518d830362b123456789
31d6cfe0d16ae931b73c59d7e0c089c0
fe572c566816ef495f84fdca382fd8bbNot found

对得到的结果计算 MD5 即可得到答案

flag{25f9e794323b453885f5181f1b624d0b}